Target IP: 192.168.186.84
There are three TCP ports open on the target machine: SSH and two HTTP services. The two HTTP applications run on ports 80 and 8082. I will start the enumeration with the HTTP applications on both ports.
Port 80: HTTP
The webpage above is displayed by the HTTP application on port 80. A source-code review shows nothing interesting, so the next step is a directory search using gobuster.
A directory search using the command gobuster dir -u http://192.168.186.84/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt produced the useful output shown above.
The /adminer.php page is interesting; it displays the page shown above. Once I have credentials, this application may come in useful. The version shown for this application is 4.7.7 4.8.1.
There is another website under the /cms directory. Browsing through its source code did not provide anything useful. However, a directory search might.
The /info.php page contains useful information about the target machine: the PHP version used by the host, the hostname, the kernel version, etc.
The /mantisbt page hosts a bug tracking application, but it asks for login details. Time to enumerate further. After enumerating the other ports, I came back to enumerate this application again.
Performing a directory search against /mantisbt using the command gobuster dir -u http://192.168.186.84/mantisbt/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt turned up the interesting pages shown above.
One of these pages is /config. This directory contains the configuration files for the Mantis Bug Tracker application. Two files are the most interesting: a.txt and data.sql.
The SQL data dump contains the user administrator with the password root, as shown above. However, spraying these credentials against /adminer.php and /mantisbt did not work. It looks like this account is blocked.
The mantisbt/config/a.txt file contains the hardcoded credentials mantisuser:password@123AS, and spraying these against /adminer.php worked.
Now I have access to the SQL database for this application, and it looks like I can run SQL commands too! There is an interesting table called mantis_user_table inside the mantis database.
Using the SQL command SELECT * FROM mantis.mantis_user_table; I obtained two rows. There is another user called tre with the password hash 64c4685f8da5c2225de7890c1bad0d7f. After trying to crack tre's password hash, I had no luck. However, the realname column for tre is interesting, as it looks like an SSH login.
Spraying the credentials tre:Tr3@123456A! against the different login pages did not work, except against the SSH port! Now I have a foothold on the machine as tre.
Running sudo -l as tre shows that all users can execute the binary /sbin/shutdown.
I transferred pspy64 to the target machine. After running it, I noticed that a binary called /usr/bin/check-system is run every second!
And I have write permission over this binary! I was unable to edit this file using vim, so I used nano. I gave myself higher privileges for the nano editor.
After shutting the machine down and connecting to it again over SSH, I noticed that the SUID bit is now set on the nano editor.
I edited the /etc/sudoers file to give myself root privileges with sudo.
Now I just have to spawn a bash shell as root to get a root shell! Running sudo -l shows the privileges I added inside /etc/sudoers. I spawned a new root shell using sudo bash. GG!
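As an added defensive check, not part of the walkthrough: a small Python audit that flags the condition exploited above, a root-run executable (like check-system) that a non-root user can modify, and reports findings per command line so it can run over a pspy or cron listing. The function names and the temp-file fixture are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Hypothetical audit helper (constructed for this example). It explains why a
# file executed by a privileged scheduler, like the check-system binary that
# pspy showed running every second, could be modified by an unprivileged user:
# a non-root owner, group/world write bits, or a writable parent directory.

def writable_by_unprivileged(path: str, trusted_uids=(0,)) -> List[str]:
    """Return findings for the file and every directory above it; [] is clean."""
    findings: List[str] = []
    p = Path(path).resolve()
    for node in (p, *p.parents):
        try:
            st = node.stat()
        except FileNotFoundError:
            findings.append(f"{node}: missing (could be created by a parent's writer)")
            continue
        if st.st_uid not in trusted_uids:
            findings.append(f"{node}: owned by uid {st.st_uid}, not a trusted uid")
        if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append(f"{node}: group-writable (gid {st.st_gid})")
        # A sticky world-writable directory (like /tmp) does not let other users
        # replace files they do not own, so only non-sticky cases are reported.
        if st.st_mode & stat.S_IWOTH and not (node.is_dir() and st.st_mode & stat.S_ISVTX):
            findings.append(f"{node}: world-writable")
    return findings


def audit_scheduled_commands(cmdlines: List[str], trusted_uids=(0,)) -> Dict[str, List[str]]:
    """Map each command line's executable (its first token) to its findings."""
    return {line.split()[0]: writable_by_unprivileged(line.split()[0], trusted_uids)
            for line in cmdlines if line.strip()}


def demo_on_temp_files():
    """Constructed fixture: a 0755 and a 0777 script in a fresh temp directory.
    Returns (findings_for_safe_script, findings_for_weak_script)."""
    d = tempfile.mkdtemp()
    trusted = (0, os.getuid())  # the test user plays root for its own temp tree
    safe, weak = os.path.join(d, "safe-check"), os.path.join(d, "weak-check")
    for script, mode in ((safe, 0o755), (weak, 0o777)):
        Path(script).write_text("#!/bin/sh\nexit 0\n")
        os.chmod(script, mode)
    report = audit_scheduled_commands([safe, weak], trusted)
    return report[safe], report[weak]
```

Run it as root over the executables listed by pspy or in root's crontab; any finding on the executable or a parent directory is the same class of weakness that check-system had here.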
The local.txt flag, obtained once I gained a foothold on the target machine as tre over SSH.
The proof.txt flag, obtained once I exploited the file-permission weakness in the check-system binary.